All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

REGEX in blacklist doesn't work as intended

osakachan
Communicator
‎07-13-2021 05:06 AM

Hello folks,

 

I encountered a problem when trying to filter events from WinEventLog and EventCode 4662.  When I use the next regex in a tester or in a SPL with a data set unfiltered, it works fine. But using it in a blacklist only allows a fraction of the messages when "Default Property Set" is in the first row after Properties.

 

blacklist9 = EventCode="4662" Message="(Tipo\sde\sobjeto:(?!\s*groupPolicyContainer))[\s\S]*(Propiedades:(?![\s\S]*Default Property Set))"

I tried some changes to the regex but I do not find a solution for this. Thanks for your time.

Labels (2)
Labels
0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎07-13-2021 06:26 PM

@osakachan  Can you check are you following allowed regex its little different from PCRE- inputs.conf - Splunk Documentation

0 Karma
Reply

codebuilder
SplunkTrust
SplunkTrust
‎07-13-2021 08:38 AM

Have you tried using erex to help build your regex? It's a hidden gem, and extremely useful.

https://docs.splunk.com/Documentation/Splunk/8.2.1/SearchReference/Erex

 

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...